If you have root, take the shadow file and try to crack the passwords, e.g. with John the Ripper

Check history files, the users on the system, and sudoers

Run tcpdump to see which traffic is not encrypted

Try to find sensitive content or passwords in files on the OS

Other

Run an authenticated compliance check from a vulnerability scanner to verify the OS configuration against a template

Run a static analyzer on the source code, if available

Other

Signalling audit strategy:

It always depends on the audited interface and protocol. Most of the time, preparation is required before the audit: preparing the stack and the protocol encoder, and arranging the interconnection.

Audit appliance protocol stack:

State machine requirements:

For the state machine (to bring the link up and keep it up), it is possible to implement a basic state machine in the audit appliance; the other option is just to send the sequence of initial messages that brings the link up. After this, it is possible to inject messages on the link (e.g. the protocols Diameter, Sigtran)

If no state machine is required or the link setup is simple, it is possible to inject messages directly (e.g. GTP, Radius)

When auditing from the access segment, authentication and a state machine could also be required (e.g. SIP)

Encoder/Decoder requirements:

Messages could be injected by hex/pcap replay, or by modification of the traffic on different layers

Messages could be encoded in code (e.g. an ASN.1 encoder) in the audit appliance

A decoder is needed only for automatic result analysis or for multiple-message scenarios
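
The automatic result analysis mentioned above, as an added example that is not part of the original page: a small Python decoder that reads the header and top-level AVPs of a captured Diameter message and reduces an answer to its Result-Code. The sample bytes and the host name hss.example are constructed, and grouped AVPs such as Experimental-Result are not unpacked.

```python
import struct

RESULT_CODE = (0, 268)  # (vendor-id, AVP code) of Result-Code, RFC 6733
FAMILY = {1: "informational", 2: "success", 3: "protocol-error",
          4: "transient-failure", 5: "permanent-failure"}

def parse_diameter(msg: bytes) -> dict:
    """Decode the 20-byte Diameter header and the top-level AVPs."""
    if len(msg) < 20:
        raise ValueError("shorter than a Diameter header")
    version, flags = msg[0], msg[4]
    length = int.from_bytes(msg[1:4], "big")
    command = int.from_bytes(msg[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    if version != 1 or length != len(msg) or length % 4:
        raise ValueError("bad version or message length")
    avps, off = {}, 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(msg[off:off + 4], "big")
        avp_flags = msg[off + 4]
        avp_len = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if avp_flags & 0x80 else 8      # V bit: Vendor-Id follows
        if avp_len < hdr or off + avp_len > length:
            raise ValueError("bad AVP length")
        vendor = int.from_bytes(msg[off + 8:off + 12], "big") if hdr == 12 else 0
        avps.setdefault((vendor, code), []).append(msg[off + hdr:off + avp_len])
        off += (avp_len + 3) & ~3                # AVPs are padded to 4 bytes
    return {"request": bool(flags & 0x80), "command": command,
            "app_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": avps}

def classify(msg: bytes) -> str:
    """Reduce one captured message to a verdict string for the audit report."""
    m = parse_diameter(msg)
    if m["request"]:
        return "request"
    rc = m["avps"].get(RESULT_CODE)
    if not rc or len(rc[0]) != 4:
        return "answer without Result-Code"
    code = int.from_bytes(rc[0], "big")
    return f"{code} {FAMILY.get(code // 1000, 'unknown')}"

# Constructed sample: an answer with Origin-Host "hss.example" and Result-Code 5012
SAMPLE = bytes.fromhex(
    "01000034" "0000013c" "01000023" "00000001" "00000002"
    "00000108" "40000013" "6873732e6578616d706c6500"
    "0000010c" "4000000c" "00001394")

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Matching hop_by_hop and end_to_end against the values sent in the request ties each answer to its test case in multiple-message scenarios.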

Interconnection setup:

Directly peer-to-peer with NE

+ The added value is that it directly faces the NE, with no router or other NE on the path.

- Most of the time not practical, because the NE would need to be reconfigured for this and dedicated to the audit.

The audit appliance connects to the network as a real NE (interconnected with an STP, DRA or IP router) and is configured as a roaming partner or internal element, depending on the perimeter to be audited

+ NE does not need to be dedicated for audit

+ Easier/standard configuration of audit appliance

+ Possible to audit multiple NEs

- An STP, DRA or other router in the path could hide some results or behavior of the NE. The router could also be impacted by the tests.